Re: ssh by user amandabackup [SOLVED]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/04/2011 11:33 AM, Matthew Saltzman wrote:
> On Tue, 2011-01-04 at 09:11 -0500, Daniel J Walsh wrote: 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 01/04/2011 04:08 AM, Gordon Messmer wrote:
>>> On 01/02/2011 06:45 AM, Matthew Saltzman wrote:
>>>> Aha! In /var/log/messages, on the other hand, this happens:
>>>>
>>>>          Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
>>>>          Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
>>> ...
>>>> So I will file the bug.
>>>
>>> I believe you'll need to fix that like so:
>>>
>>> # semanage fcontext -a -t user_home_dir_t /var/lib/amanda
>>> # semanage fcontext -a -t user_home_t "/var/lib/amanda/.*"
>>> # restorecon -r /var/lib/amanda
>> No This would probably cause amanda to break then. Does labeling .ssh as
>> ssh_home_t solve the problem?
> 
> Now that you mention it, no.  (Sorry, I sang your praises a bit too soon
> 8^).
> 
> The messages on the client side (before and after the relabeling):
> 
>         Jan  4 11:10:06 yankee setroubleshoot: SELinux is
>         preventing /usr/sbin/sshd from search access on the
>         directory /var/lib/amanda. For complete SELinux messages. run
>         sealert -l 90efb757-498d-4a01-bc5a-b117d159ee2d
>         Jan  4 11:10:06 yankee setroubleshoot: SELinux is
>         preventing /usr/sbin/sshd from search access on the
>         directory /var/lib/amanda. For complete SELinux messages. run
>         sealert -l 90efb757-498d-4a01-bc5a-b117d159ee2d
> 
> And the full sealert:
> 
>         SELinux is preventing /usr/sbin/sshd from search access on the
>         directory /var/lib/amanda.
>         
>         *****  Plugin catchall (100. confidence) suggests
>         ***************************
>         
>         If you believe that sshd should be allowed search access on the
>         amanda directory by default.
>         Then you should report this as a bug.
>         You can generate a local policy module to allow this access.
>         Do
>         allow this access for now by executing:
>         # grep /usr/sbin/sshd /var/log/audit/audit.log | audit2allow -M
>         mypol
>         # semodule -i mypol.pp
>         
> So it looks like /var/lib/amanda is the problem, not the .ssh
> subdirectory.  /var/lib/amanda's label is:
>         
>         drwxr-xr-x. amandabackup disk
>         system_u:object_r:amanda_var_lib_t:s0 /var/lib/amanda/
>         

You would need the combination of relabeling the homedir and searching
/var/lib/amanda.

WHich is what we will be adding to policy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0jTrgACgkQrlYvE4MpobPRIgCeMQnY139E2M4Ehwt0oeNb9kbH
adMAnjN5W96sF3VGiI3XXZLJi5o+nS+c
=pLpV
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux